Episode #492: Why controlling identity is the first step to the Internet of Things – with Paul Madsen of Ping Identity

“Indescribable…indestructible! Nothing can stop it!” — movie poster from the movie The Blob

The Internet of Things is coming – maybe it is already here. There are so many predictions about how many devices will be connected to the network that I’ve lost count. Is it 50 billion? 500 billion? 1 trillion? Everything? Whatever the number, whatever the function, the fact is that most of what we will interact with will have an IP address and send and receive data.

The Internet of Things also brings with it a headache for managing your identity. Think about it: What does it mean to be always interacting with networks? How do you authenticate yourself? How do you approve when and where your identity is shared and with whom? What does this “always authenticated” world look like and who controls your “you”?

Paul Madsen works on these big problems every single day at Ping Identity – a company specializing in securing identity – and we try to cover as much of the good and bad of this soon-to-be always connected world in this episode.

Enjoy!

Rob: Hello everybody, and welcome to Untether.tv. I’m your host and founder, Rob Woodbridge. It’s not every day, more and more I find that I’m doing this, but it’s not every day that I get to bring in somebody from Ottawa, which is my hometown, which is the capital of this great country called Canada. Yes, thank you. We’ve got Paul Madsen, who is the Technical Architect within the CTO office at Ping Identity.

We are going to be talking about a whole bunch of things but the real essence of this is we’re going to be starting to understand the implications of the Internet on things of our mobile world. Not only that, but also about identity and how we actually can use mobile to leverage identity in order to be able to do things faster, do things easier, protect your identity when it comes to downloading applications, maybe even try to figure out how we can use these damn things to open our doors and start our cars and that promised land of maybe even the mobile wallet. Paul, do you think we can touch on that?

Paul: Well, we’ll see if we have time.

Rob: Yes, exactly. We’ve only got a day. Paul, thank you for doing this. I really appreciate your time, man.

Paul: Happy to be here, Rob.

Rob: Tell me about Ping Identity and I want to understand what you as a Technical Architect within the CTO’s office do, does for a living. So, what is Ping? Who is Ping Identity?

Paul: So, Ping aims to provide standardized and secure identity mechanisms and technology between our customers, their end users typically and the applications that those end users need to be able to get to. So, specific example, a large enterprise wants their employees to be able to access SaaS applications, Salesforce, Concur, et cetera, and they want to do so without requiring that those employees have new and unique passwords to quickly forget them or write down on a post-it.

So, what we provide is a standardized identity layer that via federation protocols, if you want to I can ream off some acronyms for you, that allow that employee to get into the SaaS without any additional passwords, without dealing with the burden of managing those passwords when they inevitably forget them. So, everything ties back to the, their enterprise Active Directory identity that they log in every day and off that, they’re able to access the apps they choose to use. So…

Rob: That’s pretty… I mean, this is a problem. I’ve often talked to companies here at Untethered around this very thing, around security and identity and trying to figure out how these devices that we carry or whatever device it’s going to look like that we carry or where is going to have an impact on this space, so I’m really excited to figure this out but… and we’re going to get there, but I also want to know what you do within the CTO’s office. So, what’s a technical architect?

Paul: So, within the CTO office we’re sort of mandated to look out two or three years to see where industry’s going, see where the trends are and try to help our customers understand those trends and what opportunities and challenges they provide, and also understand you know, the customer’s needs and requirements so that ultimately, you know, via our product management and development teams we can address those challenges. So, we try to stay ahead of the market to some extent and ultimately help our products meet those challenges at the right time.

Rob: So you get a good vantage point of, you know, what bets to make, ultimately, in this space, right, and they’re calculated bets, I bet.

Paul: Yeah, hopefully calculated. We use the Ouija board only when necessary.

Rob: I think you use the Ouija board when you start, right? When you start a company it’s like, “I think we’ll go over here.”

Paul: Yeah. We’re mature enough that we’ve gone through that phase. So hopefully we’re a little more calculating now.

Rob: You spoke it to the gods already and they said, go here. We’re past the god’s point now we’re into the praying part, right? Is that, that’s ultimately what is a company’s life. How long has Ping been around?

Paul: I think Ping’s been around seven, eight or nine years.

Rob: Yeah.

Paul: I’ve been there about three years. So, I work in that CTO office. I’ve talked to customers. I get to research new spaces, part of the reason why we’re talking today, and participate on some standards. One thing that Ping’s always been proud of is that we’ve always emphasized the importance of standards for that identity layer, right? It’s possible to do all that in a proprietary manner but it, you know, it locks you into your partners. So, we’ve always pushed standards and, part of that commitment is actually working on the groups that define those standards. So I, like other members of the team, participate in that manner.

Rob: It’s an important comment there when you start talking about standards, is that you’re building these standards out. I’ve met a lot of companies in my days, a long time in the technology industry, that have tried to create the standards and be on the forefront of those standards. And, you know, built entire businesses on things that weren’t standardized yet and then all of a sudden a standard emerges and, and, they’re so far off the path that there’s no company left. So it’s interesting, you know, as you are building these standards out, how do you balance the standards with what you guys are doing within the company or you find a fee in front of a head that, that, you know, you’re on the path of the company and the standards emerge.

Paul: So, so the nature of the use cases that customers look to use for by definition imply into interaction with their partners or customers or, or other businesses.

Rob: Right.

Paul: So you just can’t achieve any sort of scale without standards. So, so we’ve always believed that we would differentiate ourselves on the… of standard support we provide. On the additional support integration services around those standards. You know, standards ultimately are meant to even that playing field, we always felt we could compete on that playing field, on that level playing field more than adequately.

Rob: Well, you know it is fascinating, I love this. You know a nine-year company in the city of Iowa. You guys, it seems like every other meeting company or auto based company is a low profile. Right. Every once in a while you know something emerges but …

Paul: You have to clarify, to clarify I, I’m in Iowa, and my cold unfinished basement…

Rob: [laughs]

Paul: But, it is based in Denver and Boston global offices but I am…

Rob: Way to go. How did you find this opportunity? Did they find you? Or, did you find it?

Paul: So I was participating in a standards group, early standards group around this space called Liberty Alliance. And necessarily, when you participate in these standard groups, you meet other… you meet people from that same community who are doing the same thing, so it’s tailor-made for career networking. [laughs]

Rob: That’s beautiful.

Paul: When it’s, when it’s time to move and the context of participating in Liberty I, I met my current boss, Patrick Harding, who is now CTO of Ping.

Rob: That’s, that’s an important lesson isn’t it? Especially from the cold north, right, is that if you really want to go and spread your wings somewhere else there’s opportunity that these, these, these, groups or peer groups actually lend itself very well. And, this is not, you know, getting a job show, but it is interesting the way that you can go about doing that. I like hearing those stories.

Paul: It’s the only reason I am half way polite to many people.

Rob: [laughs] Half way polite is that a routing, is that a routing as you work for a US company?

Paul: It’s a constant challenge.

Rob: Yes. I’m going to have to apologize.

Paul: It’s just in spelling.

Rob: [laughs] It’s in the spelling, the currency and everything else. So listen you know, I, went through your blog and what was really interesting about what you, what you talk about quite often is, and you can see, and you can read Paul’s blog at connect id.blogspot.caa if you’re interested in this and it’s musing and it’s very, it’s fantasizing. There’s a, there’s a little bit of … you know, I don’t know, acidity in some of the words, in some of the posts. And I, and I like it, because it makes you think and, and one of the things I really wanted to talk to you today about this, this perception about the internet of things being and your perception about the internet of things being, being wrong. I think, is what, I’ve determined or you know, or what is wrong with today’s perception of the internet of things? Because everybody thinks it’s just going to be this connected node of mesh network across of all this nodes connecting. And, and, and, how, how do you look at the internet of things?

Paul: So I don’t know if I’d categorize it as wrong. I mean, I think lots of topics are wrong.

Rob: [laughs]

Paul: But not that one, what I, my sense is that, that discussions about the security requirements of the internet of things to date have, have not sufficiently emphasized identity. Not surprising, coming from an identity company, but you see identity everywhere you look. Right.

Rob: Yep.

Paul: Anytime you do something meaningful online your identity and the identity of the applications that you’re interacting with, you know, where are the heads, and need to be accounted for. And the discussions when I started looking at IoT 6, 7 months ago. Everybody talked about the importance of security. We’ve got to lock this down, we’ve got to encrypt it, we’ve got to store the data securely, we’ve got to prevent malware on the devices, et cetera, which are all important.

But I wasn’t seeing at the time much discussion of the identity requirements for the internet of things and how you really can’t have a secure system if you don’t have secure identities. How do you authenticate your Fitbit in a standardized manner? Currently, I guess, it works, but it works within the silos of all these individual wearables and things in their clouds. That’s fine for now, but over time, we’re going to need something bigger. We’re going to need a broader identity platform across all those things, if all these use cases that every IoT whitepaper presents as the future are going to come to fruition. If my fridge is going to talk to my toaster. We need identities for those two devices.

Rob: You’re absolutely right, and there’s a side to this though. Like Fitbit, or like Apple, or like Amazon… Is it the Flex that you’ve got there?

Paul: Yes it’s the Flex.

Rob: Yes.

Paul: I’m envious of the Force though. I’ve got to look at that.

Rob: Well all of these systems are closed for a reason. Amazon is closed and iTunes is a closed-loop system, and Apple wants you to buy an Apple computer, an iPad, a laptop and an iPhone. Will they be interested in this kind of view of internet things, where it’s kind of standardized identification or something to that effect that allows me to share data across all of these platforms? Is it in their best interest?

Paul: I’ll push back a bit. Amazon is an example, and the other large platforms are open in a controlled manner. Amazon will allow its data to be accessed if the appropriate business relationships and appropriate consent happens. Google has lots of open APIs that, with the appropriate credentials, third-party sites can get at my data as an example. So if Fitbit ever wants to participate in something broader than its wristband talking to its cloud service, necessarily it’s going to need to open up. Or, open up its data to maybe a medical service that wants to query my activity, or it needs to be able to query other services where different data that I have is hosted. Those mechanisms exist. Those are relatively simple when the integration happens between the clouds. Protocols exist to simplify that and create a user consent model. That’s great.

Rob: About that cross-pollination of this data. It has to be within their best interest doesn’t it?

Paul: …and maybe because they recognize that they’ve allowed this third-party, trendweight.com, to, with my consent and with my enabling the integration to call their APIs. TrendWeight provides, to me, a much more usable interface to see the trends in my weight. So from Fitbit’s point of view, the value is I’m seeing more value indirectly in Fitbit.

Rob: And because you’re bringing that in. How does identity play into this? So, I mean, you obviously gave up some identity, some rights to be able to bring that data into Fitbit, or export data from Fitbit into TrendWeight.

Paul: Right.

Rob: So is that all we need or is there a much broader, bigger story that has to happen in the identity platform?

Paul: So, the integration between TrendWeight and Fitbit is, I suspect, based on an Internet protocol called OAuth. OAuth is this delegated authorization protocol whereby I, the user, am able to tell Fitbit that, “Hey, TrendWeight is allowed to do these things against my data, specifically pull out my weight data, but not my step data.” I can’t remember what the consent operation was.

Rob: Yep.

Paul: So OAuth came out of the consumer web. It’s seeing adoption across the enterprise as well. So definitely that sort of control will be critical for IoT. I mean, that’s presented as a significant adoption barrier for IoT. The users fear that they wouldn’t be in control of all the data that’s being collected about them. So, OAuth and things like it, I think, will be critical to IoT. But not necessarily just between Clouds, right?

So, the integration between Fitbit and TrendWeight happens up in the Clouds, completely separate from what’s happening down on my wrist.

Rob: Right.

Paul: But that model of me, the user, being given an explicit consent step and the ability to meaningfully differentiate sort of granular controls, I think that will be important, even enabling interaction between devices. So if I want to connect my toaster to my fridge, I should be able to say, “Well, okay. But only between certain hours, or only to check bread stocks and not vegetable [stores].”

Rob: Got you. Also, to make sure that my TrendWeight number is at a point where I should be eating the carbs that I’m putting in the toaster. Right?

Paul: Yeah.

Rob: So they lock the fridge, disable the toaster. I mean, you don’t…

Paul: That’s advanced integration. We’ll get there.

Rob: Yeah. I think that all of this thing is supposed to make our life a little simpler, and everybody comes up with these great theories about how this is going to lay out. This is a perfect example of it, right? Is that I’m just not going to be allowed to and then I’m going to be in there with a chainsaw hacking down my fridge so I can get the toaster.

But what about this concept of Facebook and Google, and LinkedIn, and Twitter trying to be the authentication? I think that they are really identity companies right now because they are leveraging this. You sign in with these guys everywhere.

Paul: Absolutely.

Rob: Not just on the web, but in mobile as well. How does that compete? How does this play? Which is going to win? How do you compete with a billion, two, in numbers when you’re talking about Facebook?

Paul: So I was reading an article today, I think it was “ReadWrite”, arguing that social identity, as provided by Facebook Connect or Google, is going to be an important ingredient for IoT if only because it would mitigate the number of accounts users need to create. Right? That’s the ultimate, or one of the…

Rob: Biggest challenges.

Paul: …drives. Yeah, is that I don’t have to create a new password when I go to this potentially cool application. Instead, I connect it to Facebook. I can log in based on that. But importantly, the app also gets to learn useful information about me that Facebook has stored about me, or Google, etc. Critically, in that model, it’s easy to turn off that relationship if and when appropriate.

So, this article argued that just the scale of things that we’re going to bring into our house and need to establish a relationship with argues we need something central. He said Facebook or Google. Maybe it’s your enterprise, if you’re bringing them into your office and not your home. I think there’s logic there. Right? Just the scale of things that we’ll need to bind our identity to argues for some sort of centralized identity store.

Rob: Have you seen it? Is it Facebook? I mean, when you think about Behemoths, you think about the guy who has 1.2 billion users worldwide, that have already given at some level a little bit of ability to share information about me.

Paul: So I think for some things it’s a viable relationship, right? I mean I can log in to Fitbit with Facebook or Twitter.

Rob: Right.

Paul: Because there’s a justifiable social aspect to stepping around, right? Whether it’s gamification or just bragging about my high score that day. But is there a plausible social relationship, or social connection to my Nest settings? The temperature at which I keep the house at? Do I want to share that with my social network? I don’t know, maybe there’s an opportunity for the Facebook of things, right? Where it’s a centralized identity service, it allows me to connect to all those various things and save me the hassle of individually managing accounts at all those things, or their corresponding clouds. But importantly, also defining rules that govern their interactions. If This Then That is currently providing the rules, but not providing the identity infrastructure.

Rob: Right, right. I hear that. And in the back of my mind, I think I’m using that. I regulate what services I sign in with what social service. As a perfect example, I’ll sign in with something that I’m not interested in giving a lot of my information to, I’ll use Twitter for that. There’s very little information that Twitter has about me personally. And then for the things that I’m deep-rooted, which is very few times, I’ll allow authentication with Facebook, and then if it’s business related, I’ll allow authentication with LinkedIn. I’ve bucketed my identity, or my level of desire to give up my identity based on those three. Is that logical?

Paul: Absolutely. So I was going to say that you sort of define these personas. Typically, people think of a business persona and consumer persona, but you’ve also created that third one for Twitter of almost a disposable persona.

Rob: Anonymous, almost, right?

Paul: Right, because Twitter doesn’t know much about you other than your tweets. So that’s critical in the enterprise, BYOD phones. If I’m bringing in my phone, I should have certain rights over how the space on that phone is compartmentalized and kept separate. But people will do that, I think, people do that already online. And just again, the number of things that we’ll need to interact with. If it’s a thing that I just bought and brought into the house, then that implies a permanence, right? Maybe that meets your criteria and you connect that to Facebook. If it’s a bus stop, that I’m just walking by and I just want to find out when the next bus comes by and I need to use an existing identity, that’s a more transient relationship, and so the identity that I choose would likely change as well.

Rob: I love that. I think about the deep integration that these social identity companies, Google and Facebook in particular, and Twitter, have managed to creep into the phone’s operating system. So if you’re using a native Android device, you’re logging in with your Gmail account, right? Your identity has been stamped as that person. When you use an iOS device, the ability to tie your Twitter and your Facebook accounts directly at the Operating System level to ease that identity process. So what does that say about those two big, I mean, what other operating system is there in the mobile space? When they are at the root, succumbing, or succeeding to the social identity groups.

Paul: Well I think from the user’s point of view, it’s just the convenience. You add accounts into Google accounts, or corresponding in iPhone, and it’s just there for you to use the next time you download that app. It’s seamless. It’s seamless single sign-on, ultimately, for the users. The advantages for Google and Twitter are pretty clear as well. Or Google and Apple are pretty clear. They have that much tighter connection to you, they know everything you do on your phone. Whether or not they abuse that depends on their current business model I guess.

Rob: And both Apple more than Google, Amazon is the clear winner here and who knows where Amazon comes in in this but when you start to think about what Apple is doing with this closed-loop environment and iTunes, it knows a considerable amount about you in this closed environment. And it knows your identity, but it’s tied to a credit card company, so ultimately does it always funnel back to that or are we going to be looking at different ways. Because when I’m on an iPhone, I use my fingerprint it knows who I am. But when I go to buy, it validates who I am with my fingerprint or a password and then it goes to my credit card company and says, “Yup, this is who he is.” And then it authenticates, so ultimately, authentication comes down to credit card companies, does that shift?

Paul: So, I think authentication also comes down as you just described it, the phone is critical.

Rob: It’s the gateway, and importantly, it’s the gateway that’s specific to you. So, if the phone knows that it’s you operating it, via the fingerprint, then the phone ultimately can assert that to the online applications that you interact with. So, the phone, currently, is the first manifestation of things that will facilitate your interactions online. I mean, the phone is a thing, it’s the first device via which we access applications online. Google Glass, another example, but even the Fitbit ultimately I think and wearables like the Fitbit will be able to assert something about my identity to online applications. Maybe just the fact that the wearer of this wristband is within his household, because, you know, the household you know it’s likely Paul or one of his family members, and you can make meaningful decisions based on that. Yeah, I think ultimately we’re going to be surrounded by these things where we have previously bound our identity to theirs, and they are going to, hopefully on your behalf, facilitate our interactions with the applications that we deal with.

Paul: I get so excited talking about this stuff, I’m trying to contain my smile simply because, my jubilation because there’s two sides to this. You either get very excited about these opportunities that are out in front of you which is, immediately I start to think about the house or the home operating system that you know, issues commands based on who you are and gives you the right to be able to do things. It’s perfect for kids ultimately right. Like you can’t use your hot tub after 9:00, your kids can’t use your hot tub after 9:00 p.m. with more than two people in it. It just shuts down, right? So, those are the kind of things…

Paul: There needs to be exceptions to that rule, clearly.

Rob: Yes, exactly, I hear you, but there’s this house or home operating systems, and there’s these place operating systems, I call them dashboards. So, you’re in your car, it’s your automobile dashboard. You’re in your house, there’s multiple dashboards in your house; your kitchen, your living room, your entertainment, your work all that kind of stuff. And then you go to work and it’s a dashboard as well and I start to think about how those things connect to each other and the only thing that I’ve been able to come up with is these devices. The phones that we carry, the things that we wear on our wrist ultimately, or the fabrics that might be woven with some kind of sensors or something to that effect. But it all comes down to the ways in which we identify who we are. And that’s what we end up talking about, is that there has to be that step that gets me online. And right now it seems to be a password, which is not the best source of identity control, is it?

Paul: Preaching to the choir.

Rob: Yeah. So, I interviewed a company based out of Toronto, they have a product called the Nymi which it takes your EKG. It’s a wristband and it takes your EKG, and at the beginning of the day you put it on and you push your finger down and it matches your EKG and it says, “Okay, you are authenticated as you.” You are you, and now anything that was within proximity that uses whatever technology, low energy Bluetooth that requires this, all of the sudden, it will open. The door will open, the computer will come on, your bank account will open, money will flow out, so they’re trying to eliminate the password. But is that the thing that we need to do, is that the first step in this for identity?

Paul: So, yeah I heard of Nymi and definitely cool. I think it’s an example of a pattern of authentication that will become more and more important where instead of an explicit login operation, whether password or whether currently swiping something on my phone, authentication just happens right? It’s less authentication than, almost, recognition. I’m just doing what I’m doing. My heart is beating, I’m walking. My eyes are scanned. And all these systems are sensitive to who I am and what those patterns of behavior were in the past and are able to, from my point of view, just magically and seamlessly assert my identity out to the things and applications that I confront. Whether it’s a door lock or, you know, that fridge in the previous scenario. Have I done my step goals for today?

So I bought a kit from SmartThings which is a, seems a leader in the automation of home space and I was worried about my sons playing too much on the PS3, so what I did was I stuck a motion detector in front of the TV. I told them I set up a rule that monitored their access. Of course, I didn’t, because I was too lazy. Just telling them that I was monitoring them, my own little police state, served the job.

Rob: That is awesome! That is awesome! I’m absolutely…

Paul: Hey, lying is good parenting, at times.

Rob: It is, it’s a good bluff. It’s a good bluff until they decide that they’re going to test it anyways, but that is, like, you know, the identity realm, obviously, is so imperative, and once we get past this, once we, once we get on the network, so to speak. Once we become, we actually, I don’t even know how to describe it. We become authenticated, right? So, we are who we say we are. What do you think the implications of this is, going forward? The internet of things where there are nodes on the network all the time and you’ve given rights to whatever device you’re carrying to interact with those nodes in the way that you want it to, because that is very important. What implications are we looking at here, down the road, that you’re looking at through Ping in the CTO’s office?

Paul: So one thing I would, I guess I’d challenge, is the premise that you, as you describe it, are authenticated. Which, you know, suggests a sort of a binary model of going along and I’m not authenticated and all of a sudden, boom! You need!

Rob: Bing.

Paul: Bing. I think what we’re getting to, especially if with this sort of passive, and multi-thing, model of authentication is the level of which I’m authenticated, the level of assurance that some relying party can ascribe to the fact that I’m Paul, ultimately depends on the application I’m trying to interact with, right? And, in rather than this binary step function of, not authenticated to authenticated, there’s this continuum of, am I authenticated enough for what I’m trying to do? You know, we do that now online with, you may be logged into your bank but if you want to buy some stocks, you have to give a trading PIN or something.

Rob: Right. Right.

Paul: I think phones and all those passive authentication mechanisms will just smooth out that curve, even more so. So, yeah, OK…

Rob: How far along are we on that, though? We’re just at the beginning of that continuum. Identity continuum, I would say?

Paul: Yeah, definitely, [Uni,] as an example is one sort of enabling function, right? I didn’t explicitly need to do anything to log into [Nymi], I was just myself. There’s lots of passive location model for authentication now. If I’m in my house, then, something different happens with respect to my access to apps than otherwise, than if I’m off the network. So, that was the point. But, you were asking about the consequences or the implications…

Rob: Yeah.

Paul: Of being on the network?

Rob: Yeah. I mean, I think there is always this concern, right? So there’s a difference between security and identity, and identity as we have started to see is this, is now emerging, right? Even with the proliferation of the Snapchat use, right? So, 300 plus million people using Snapchat. We used to chastise the younger generation, saying, “You don’t care about your identity or your security,” and now, obviously, they do, because they have migrated from Facebook into this, kind of, not anonymous but temporary world. And I think this temporary world is very interesting, simply because, you know, you have identity hits, right? Where I am who I am, I send you a message but then I am very concerned about my perception, or what I call this self actualization. The perception of who I am later on in life, so I am concerned about that, so I keep that stuff to myself and it disappears. So, what do you think about this temporary world?

Paul: I think, I think, it’s always going to be relevant. You know, ultimately, there will be services that will emerge with different, a different sense of what is the appropriate level of sharing and socialness versus anonymity and…

Rob: So, like a digital conscience or a digital mother that says, “You’ve had six beers, you shouldn’t send that out.”

Paul: Well, so if you subscribe to the digital mother then yeah, you’re buying into that model, but you shouldn’t be forced to sign up for that sort of chastising nor should you be forced to sign up for Facebook, right?

Rob: Mm-hmm.

Paul: You should be free to select the appropriate service based on your preferences and then, once in a service, you should be able to customize their privacy rules. And good services give you that sort of granular control and less than good services set poor thoughts typically.

Rob: Well, how do you, you know, I’m so fascinated with this because we talked about this kind of layer of identity across everything. How, is there a company that can, that we’ll be able to trust well enough to be that layer of identity? If we, if everybody sous on Facebook, right, you know and you start to see the ebbs as they go public and they try to make money and the same thing that happens with Twitter and with all the other companies is that there needs to be that layer on top of it that controls our identity, or that allows us to manage our identity.

I’m not a skeptic, but I don’t know if there’s going to be a single company that I trust to control my identity or where I can actually control my identity from.

Paul: But you probably don’t need a single company, right? You need a manageable number…

Paul: You can manage the different slices of your life that way. For some, maybe it is a single company. And if that’s their choice, that’s fine. I know people that reject you know, I’ve set their browser to reject all cookies. They’ve made a calculated decision to deal with less-than-ideal usability to give them the level of protection they want. That’s appropriate.

Rob: But is it going to be credit card companies? I was thinking about this is that who knows like, for me it’s the debit company up here in Canada which is Interac is that they know everything about me and I, you know, without giving them explicit absolute… and then they don’t sell your data I hope, without giving them explicit ability is that they know everything, all of my transactions for the last 15 years and I trust them. Maybe…

Paul: Yeah.

Rob: …I’m foolish. I don’t trust my bank, right, and I don’t trust the credit card companies. I don’t trust my carriers. I don’t trust Facebook as much as I once did, so it could it be that it ends up being a company like Interac or a company like a credit company that is the identity carrier, the bearer of my identity?

Paul: So, they’d argue their advantages. You already have a relationship with them.

Rob: Yeah.

Paul: You have a financial relationship, so dealing with all these services becomes far easier. PayPal has tried to make the same argument for themselves, right, with varying degrees of success. The banks, all the operators would love… well, the operators, you know, or Canadian Telcos, would love to be something more than a pipe pushing those bits between things around.

Rob: They’re trying.

Paul: They’re trying, yes.

Rob: They have to. So, I kind of interrupted you around this is that the like, when you’re looking two or three years out there’s got to be opportunities that you’re looking at, you’re thinking well, okay. There are companies that are going to be able to do this. There are companies that are going to be able to do this and obviously for Ping we’re going to be doing something as well, but you know, is there anything that you’re seeing that you can share with us in this space that you think you know, this is going to be interesting to watch?

Paul: So…

Rob: I love the wearable stuff, right? I think that you know, somewhere on this body it’s not going to be 13 wrists and eyeglasses and whatever it is, but somewhere on this is going to supersede or remove my need to have my phone as my identity piece, right? So, that’s the way I look at it. But I, tell me what your thoughts are.

Paul: So, I agree with you that the phone has sort of a temporary prominence in our lives, right, and all the other wearables that we’ll attach to ourselves will diminish that importance.

Rob: Mm-hmm.

Paul: To the other question, so I’ve come across a company called Everythng that aims…

Rob: The perfect name, isn’t it?

Paul: Well, it is. The spelling is E-V-R-Y-T-H-N-G, right? They clearly couldn’t get the domain they wanted.

Rob: I know.

Paul: So, they aim to provide and what caught my interest initially is they specifically model what they do as providing an identity layer for things specifically consumer things so that the way I think of it… well, the current reality is, is when I buy something off of the shelf, typically, I now have a relationship with that thing, but the manufacturer of that thing is out of the loop. They lost that connection the moment I walked out the store. Now, everything’s premise in value proposition is that if the thing is connected, then the ultimate relationship between me and the manufacturer and the distributor can be maintained and hopefully nurtured both to my advantage and theirs. So that I think, people talk about Internet of Things, home-automation, or industrial internet, but I hadn’t seen before consumer goods being included, non-electronic consumer goods. Sort of, their archetypical use case is a bottle of booze that is able to maintain a relationship back with the distiller.

Rob: Yes, I hug my wine every once in a while, though, sometimes.

Paul: Sure, some people have close relationships with booze.

Rob: With booze, yes. Well, we’re Canadian, of course we do.

Paul: You have to stay warm somehow.

Rob: Yeah, exactly, we have to stay positive in the winter. That opens up an entire other conversation around, you know, I think, that does this, this relationship that you’re creating, and this is what it ends up being. It’s the ability to share my identity with whom I want, when I want, so when I buy a lamp, something non-technical. Sometimes tech lamps are technical for me as well, but when I buy a lamp and I want to create a relationship with this brand, where I bought the lamp, does that, I’m giving my identity to the manufacturer, which is so unique compared to where I would be, typically I would walk into a hardware store or a lamp shop and I would have the relationship with the lamp shop. Does identity, does that ability shift the way that retail is done? You know, because now all of a sudden, I’m getting the notifications from the manufacturer directly, not the retailer.

Paul: Good point, so you’re cutting out the middle man for hardware, like has been done for other services, news, et cetera. No that’s a good point. I’m sure the hardware shop wants to stay involved, right? They want to sell. They’re happy that I will be convinced to buy a new lamp when a new line comes out but they want to be involved in that subsequent purchase as well.

Rob: They want their margin right?

Paul: Yeah.

Rob: That’s what I think, is that we are so early in this game, where the disruption has yet to happen and we’re talking about this and at that point is how we use our identity as a mechanism to then create the relationships that we want to at the time we want to, and I’m fascinated.

Paul: Have you ever heard of Vendor Relationship Management, VRM?

Rob: No.

Paul: So, VRM, the premise is to turn CRM on its head. So, rather than looking at that relationship between a consumer and a seller from the seller’s point of view, you look at it from the consumer’s point of view and you manage your vendors, you put out RFPs. You know, if you want to buy a lamp, you distribute an RFP saying, “This is what I’m looking for, this is my price range, et cetera.” That as a simple example, that not specifically about Internet of Things but in that model the consumer of the lamp instead of by default going back to the original hardware shop where they bought the first lamp, would be able to shop around and say, “Well, okay, I definitely want this new lamp, but I want the best price, so you bid on my business.”

Rob: Well, where did you buy your FitBit from?

Paul: Um, Best Buy.

Rob: Okay. So, I bought mine right from FitBit. Right? So, here’s a perfect example that I’m not sharing any other data other than, with FitBit itself. And although I could buy it everywhere, I chose FitBit for some reason, I’m not sure why. So, I don’t know where this leads but there’s got to be a starting point. So, you know, I think that there’s huge opportunity. Let me just finish that thought about the manufacturers, I think that there’s huge opportunity. Just like these aggregate applications that bring your health data into one app, so you’ve got everything that you’ve got into one application. And as we’re doing this quantified self thing, I looked at that and say, listen, I have all my data in disparate apps and I want to bring them all into one. And I think that from a manufacturing relationship, a product relationship I can see, that I don’t want to have 30,000 apps on my device. I want to have the one app that brings all that information into it. So, here we are talking about that information and sharing as well, around your identity. So, there’s opportunity there for aggregation, obviously, when it comes to the Internet of Things, these everywhere where want to see all of my rights, all of the data that I need to in one interface. There is opportunity there, right?

Paul: Absolutely, Scott Jensen blogs about the usability issues around IOT. He has made the point that, if everything has its own app that you need to install and curate on your phone, it’s just not going to scale. He argues that pushes us away from native app Stagemail 5 but, to sort of separate that to your point is, yeah, you need something that is able to look across all of these different things. Not just to be able to manage them and to check their status, but to enable that meaningful level of integration between them. If all of those silos are just persisted through a single app, we haven’t gained much.

Rob: Basically you need your own operating system is what it ends up being. So that is Scott Jensen. Throughout all of this where does it start. This is my last question for you. How does this start? We can talk about, what is it Deloid [SP] and their 50 billion connected devices on the planet. That is a number that is just ridiculous to me. I am only interested in the 9 that are relevant to me. The 50 billion number is ridiculous. What is the first thing that is going to fall that is going to open the floodgates in this industry?

Paul: I have often wondered why every IOT presentation has to start with a number justifying the market. Does anybody doubt that the market is going to be big?

Rob: There are 7.5 billion devices floating around the planet, in your pocket. It’s justified.

Paul: So wearables are, from a consumer point of view the first manifestation of IOT. N to M in the industrial world has been around for years. To some extent, GE’s industrial internet is really just evolving those technologies to leverage IP and the internet-based protocols. The value of being able to see real-time statuses of your machines, and now jet engines, has long been established. So maybe it will come from both directions. It is being pushed now in manufacturing. Smart cities, I think, for the most part, that will be invisible to users. They won’t be aware that is going on. Home automation, I don’t know. We’re clearly early adopters. I am sure you have some sort of hub talking in your ears right now? Wearables are useful, they are a relatively simple first step for normal people to take.

Rob: I am with you. Who knows where it goes, right? I think the things that we have learned here is, listen, there is this core thing that is happening. Most of the stuff we are using today is transient, we know that. The lifetime of the desktop computer shrinks as the tablet industry grows. Our dependency on the operating system will shrink as we have access to wearables and another screen somewhere else. We need dumb screens, we don’t need smart screens and I think that ultimately, the transition happens when you take your identity out of your phone and put it onto something. A wearable or shirt, I don’t even know what it is. Something that is embedded in you, a chip? I don’t know, but it starts there. Maybe it just starts with your left or right wrist.

Paul: Left for personal, right business. Maybe it’s a mullet, party in the back?

Rob: It’s a mullet. And the thing is, I am left-handed so it will be backwards for me anyway.

Paul: I think we can deal with that.

Rob: We’ll figure it out. This has been fascinating. I would love to have you back on, Paul, as this emerges and we get a centering view of what is going on around identity. As you said, the distinction between security and identity are very important to understand, the understanding of how identity is the gateway. Whatever device you are using becomes the gateway to authentication, the true you. Whatever happens beyond that, when it comes to wearables, devices, the internet of things and how we connect and interact with that and where this thing goes. It’s pretty cool. It must blow your mind. I would love to be able to be immersed in it all day thinking about this stuff.

Paul: Yeah, I’ve got a great job. It allows me to play around on the edges, as it were. I would love to come back. I will report on my job [own-op] experience.

Rob: So where do we send people? PingIdentity.com for your business?

Paul: Yeah, that is where I work. If they are interested in that sort of standardized identity layer for their current business, happy to talk to them. And if they are interested in our explorations, because this is very much a learning process for us as well around internet of things there will be some resources there as well.

Rob: And then send them to your blog as well if they are interested in a little bit deeper dive?

Paul: Sure and seeing that certain level of acidity that you referred.

Rob: Yes. You could pronounce it connected? Or do you connect ID.com?

Paul: I’ve always said connected, but I don’t judge.

Rob: If you are listening to this go to connectid.blogspot.ca. Paul, thank you for doing this.

Paul: This was fun Rob, thanks a lot.

Rob: We have been speaking with Paul Madsen, who works in the CTO office of Ping Identity. Go to PingIdentity.com or connectid.blogspot.ca. For you guys who are listening wherever you are whatever you are doing, I really appreciate the fact that you tune in so often. This has been a great year for Untethered.tv. It’s because of you guys out there listening, and guests like Paul, who come on here and share their expertise and showcase their company in such a great way. So thank you for being a part of this, and we will see you next time on Untethered.tv. Paul, thank you sir.

Paul: Bye, Rob.


About Paul Madsen

Paul Madsen is a Technical Architect within the Office of the CTO at Ping Identity. He has participated in various design, chairing, editing, and education roles for a number of identity standards, including OASIS SAML, OAuth 2.0, and TV Everywhere. He holds an M.Sc. in Applied Mathematics and a Ph.D. in Theoretical Physics from Carleton University and the University of Western Ontario respectively.

About the author

Rob Woodbridge

I'm Rob, the founder of UNTETHER.tv and I've spent 14 years immersed in the mobile and pervasive computing world. During this great time I've helped some of the most innovative companies grow their business through mobile. If you are in need of a mobile business advisor or coach, connect with me here to get things rolling.

The show was amazing and provided with a lot of insights into breaking ground topics: IdM, IoT, … .

One thing that I missed however is a take on how public digital identities managed by governments could be used as a foundation for other digital identity based systems so as to loosen the grip of internet behemoths on my digital self while betting on trusted relationships built over time using traditional identity systems (passports, id cards, …) which accompany oneself usually from day one of one’s very existence.

I would be interested to read what you think governments’ roles should be, if at all, in the space of IdM.

Hi Sergio da Silva – for some reason your comment is in white text so I literally didn’t see it :).

You bring up some great points that we didn’t cover – funny how we turn to commercial entities automatically and don’t even consider the government’s role in all of this…paranoid perhaps?

I think the basis for all identity stems from the common documents we all use to prove who we are in society – social insurance numbers, birth certificates, passports, etc. So identity starts with the most “trusted” source (government) but controlling identity should not rest with the issuer. Does that make sense?

I’ll ask Paul to comment as well.

Paul Madsen

Hi Sergio, I’m glad you found value in Rob & I chatting about Canadian weather & climate.

With respect to your questions about the role of government issued identities on our online interactions (and by extension the Internet of Things), I agree that the Govt of Canada *could* act as an identity provider for me as I traverse the web, but why would I want them to?

In our chat, Rob indicated he used a different social identity provider (e.g. Facebook, LinkedIn etc) based on application context. I expect we all do this – whether as a conscious effort to protect privacy or just reflecting the different social groups in which we participate.

What would be the online contexts for which I would choose the Canadian government as the most appropriate identity provider? For myself, this would be a small list – doing my federal taxes, registering a birth, changing my name, renewing a passport etc.

I would explicitly *not* want to use my Canadian identity when creating an account with Angry Birds, provisioning a new phone, or adding a fridge to my home wifi. I don’t need nor want the government mediating those actions (and the more fundamental relationships they represent).

And I’m Canadian, with an (at least currently) lower sense of distrust of my government than true for my southern neighbours (please note spelling 🙂 )

I’ll add that the premise of the US NSTIC and other similar government initiatives is that government applications *accept* 3rd party identities (Facebook et al) for citizens – the exact opposite model you propose 🙂

I would like to thank you for highlighting the fact that the use of a specific identity will mostly be driven by context and that ultimately the user should be able to choose.

Currently I am trying to understand the possible approaches for implementing identity management in a project aiming at establishing a self care portal for a telecommunications service provider including the need to embrace legacy portals as well as trying to establish the foundation for future initiatives.

We are thinking of introducing our own identity that could be used also for other application providers. Still we’d also like to be able to associate to our own identities also third party identities that a user has chosen to link against (Facebook, Google, … but also LuxTrust which is the government backed digital identity solution for Luxembourg). The subject is relatively new to me and I need to get a better grasp of what this is all about.

Indeed some people whom I talked to about the subject also indicated that some application providers (e.g. banks) are considering allowing their customers to authenticate using 3rd party identities (Facebook, Google, …) while they would only authorize certain actions provided users authenticate for these actions with a more trustworthy identity (LuxTrust, …) against which authorization would be checked.

Again thanks for exchanging your points of view and feel free to comment on weather and climate anytime soon 😉


Paul Madsen

Hi Sergio, it appears you see the operator as a sort of an identity proxy between a user’s existing identities, both social (Facebook, Twitter etc) and government (LuxTrust) and applications. There can definitely be value in such a party as it can mediate both trust and protocol from one side to the other, ie Connect from Facebook, SAML to the apps etc.

Some of our financial customers are indeed doing what you describe, using a social identity to establish a relationship with the user (and so be able to better market themselves) but relying on a higher LOA identity (typically one they issued) when the relationship matures & evolves as the user becomes a customer.
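The step-up pattern discussed in the comments above (log in with a social identity, re-authenticate with a higher-LOA identity for sensitive actions), sketched as an added example that is not from the thread or from Ping Identity. The LOA numbers, action names and subject identifiers are constructed assumptions; the point it shows is that a step-up only counts when the stronger identity is already linked to the same account.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed values: LOA numbers and action names are illustrative assumptions.
IDP_LOA = {"facebook": 1, "google": 1, "operator": 2, "luxtrust": 3}
ACTION_MIN_LOA = {"view_offers": 1, "view_invoices": 2, "change_payment_details": 3}


@dataclass
class Account:
    account_id: str
    # IdP name -> subject identifier at that IdP, recorded when the user linked it.
    linked: Dict[str, str] = field(default_factory=dict)


@dataclass
class Login:
    idp: str       # identity provider that asserted the user
    subject: str   # subject identifier carried in that IdP's assertion


def session_loa(account: Account, login: Login) -> int:
    """LOA of a login, or 0 if it is not an identity linked to this account."""
    if account.linked.get(login.idp) != login.subject:
        return 0  # someone else's identity, however strong, gives no assurance here
    return IDP_LOA.get(login.idp, 0)  # unknown IdP: no assurance


def authorize(account: Account, login: Login, action: str) -> Tuple[str, List[str]]:
    """Return ("allow", []), ("step_up", [IdPs that would suffice]) or ("deny", [])."""
    required = ACTION_MIN_LOA.get(action)
    if required is None:
        return ("deny", [])  # fail closed on actions that have no policy entry
    current = session_loa(account, login)
    if current == 0:
        return ("deny", [])
    if current >= required:
        return ("allow", [])
    # Offer only identities already linked to this account that reach the required LOA.
    options = sorted(i for i in account.linked if IDP_LOA.get(i, 0) >= required)
    return ("step_up", options) if options else ("deny", [])


if __name__ == "__main__":
    # Constructed sample account with a social and a government-backed identity linked.
    acct = Account("acct-1", {"facebook": "fb-1001", "luxtrust": "lt-77"})
    print(authorize(acct, Login("facebook", "fb-1001"), "view_offers"))
    print(authorize(acct, Login("facebook", "fb-1001"), "change_payment_details"))
    print(authorize(acct, Login("luxtrust", "lt-77"), "change_payment_details"))
```
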